topic Re: ASA unable to ping internet from DMZ in Network Security

ASA unable to ping internet from DMZ

mahesh18 — Tue, 12 Mar 2019 01:24:36 GMT

Hi Everyone,

I have setup 5505 ASA for Testing purposes.

It has static route to layer 3 switch on outside interface that goes to the internet.

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.11.1 to network 0.0.0.0

C 192.168.11.0 255.255.255.0 is directly connected, outside

C 192.168.52.0 255.255.255.0 is directly connected, inside

C 192.168.69.0 255.255.255.0 is directly connected, DMZ

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.11.1, outside

It has inside interface and users can access the internet from the inside interface no issues.

ITs also doing NAT fro inside users.

Now i want to setup the DMZ on this ASA.

HEre is what i have done

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

So with no forward int vlan 1 --------------the users in DMZ are unable to ping the inside interface right?

Now int eth0/1 on ASA goes to another layer 3 switch.

interface Ethernet0/1

switchport access vlan 12

Now this layer 3 switch has int fa0/1 that connects directly to ASA on eth0/1

sh run int fa0/1

Building configuration...

Current configuration : 95 bytes

interface FastEthernet0/1

switchport access vlan 12

switchport mode dynamic desirable

end

Switch#ping 192.168.69.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.69.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Switch#

My question is what default gateway should i config on this switch so that it can access the internet through ASA ?

Also users behind this switch should ping the internet sites.

also what NAT config i need to do on ASA so that users from DMZ has access to internet.

Config of ASA

sh run

ciscoasa# sh running-config

: Saved

ASA Version 8.2(5)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 11

interface Ethernet0/1

switchport access vlan 12

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.52.1 255.255.255.0

interface Vlan11

nameif outside

security-level 0

ip address 192.168.11.2 255.255.255.0

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

boot system disk0:/asa825-k8.bin

ftp mode passive

pager lines 24

logging enable

logging timestamp

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate cda15b51

308201cf 30820138 a0030201 020204cd a15b5130 0d06092a 864886f7 0d010105

0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648

86f70d01 09021608 63697363 6f617361 301e170d 31333034 30333033 33313134

5a170d32 33303430 31303333 3131345a 302c3111 300f0603 55040313 08636973

636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081

9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c5 04be4392

051ff956 1786981c 6acbe7ed 880bc95a 1c846bf4 19e381f7 f1e8d0d0 e340f86f

e94ec55b a1714de8 19976ae4 e9196c52 7791873c 794d2eec 4ae90aa5 5b40282c

3aac7fbb 2a2a2e36 77906a25 a3874d98 7f51e370 266068d8 f5adbd97 bd204ce0

61943442 ae73ce78 4f2b0daa 53374044 07f4df39 eed0e80c 2b92af02 03010001

300d0609 2a864886 f70d0101 05050003 8181001e 41c1636b c86357f6 94585bc0

2fe4bf2f b9f0cc4a 108f3cbf 830ebe54 fb6c87e6 04ad11a4 3fec5ced 5f6f9784

9f423788 c7de4b5b b7226d81 262ee3b6 ff0adffe 4e49ed7a 42c74d4b f52f0456

1b8feb3f f19efdc5 adaced62 c4bd7180 107feb06 8658937e 8cb2a154 7486de37

9b00c44c d17f967e 5fbe4584 c71fd389 55d670

quit

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

dhcpd dns 64.59.144.19

dhcpd address 192.168.52.5-192.168.52.15 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username mp password AILiHuRWFGgkbsI5 encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

class class-default

set connection decrement-ttl

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d9c334f272663925bc56c7e3b7fd0aa5

: end

Switch connected to DMZ port config

Switch#sh running-config

Building configuration...

Current configuration : 2668 bytes

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Switch

aaa new-model

aaa authentication login MP none

aaa session-id common

ip subnet-zero

ip dhcp excluded-address 192.168.69.1

ip dhcp pool MAHESH

import all

network 192.168.69.0 255.255.255.0

default-router 192.168.69.1

dns-server 64.59.144.19

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

interface FastEthernet0/1

switchport access vlan 12

switchport mode dynamic desirable

interface FastEthernet0/2

switchport access vlan 12

switchport mode access

spanning-tree portfast

interface FastEthernet0/3

switchport mode dynamic desirable

interface FastEthernet0/4

switchport mode dynamic desirable

interface FastEthernet0/5

switchport mode dynamic desirable

interface FastEthernet0/6

switchport mode dynamic desirable

interface FastEthernet0/7

switchport mode dynamic desirable

interface FastEthernet0/8

switchport mode dynamic desirable

interface FastEthernet0/9

switchport mode dynamic desirable

interface FastEthernet0/10

switchport mode dynamic desirable

interface FastEthernet0/11

switchport mode dynamic desirable

interface FastEthernet0/12

switchport mode dynamic desirable

interface FastEthernet0/13

switchport mode dynamic desirable

interface FastEthernet0/14

switchport mode dynamic desirable

interface FastEthernet0/15

switchport mode dynamic desirable

interface FastEthernet0/16

switchport mode dynamic desirable

interface FastEthernet0/17

switchport mode dynamic desirable

interface FastEthernet0/18

switchport mode dynamic desirable

interface FastEthernet0/19

switchport mode dynamic desirable

interface FastEthernet0/20

switchport mode dynamic desirable

interface FastEthernet0/21

switchport mode dynamic desirable

interface FastEthernet0/22

switchport mode dynamic desirable

interface FastEthernet0/23

switchport mode dynamic desirable

interface FastEthernet0/24

switchport mode dynamic desirable

interface GigabitEthernet0/1

switchport mode dynamic desirable

interface GigabitEthernet0/2

switchport mode dynamic desirable

interface Vlan1

no ip address

shutdown

interface Vlan12

ip address 192.168.69.1 255.255.255.0

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.69.2

ip http server

ip http secure-server

control-plane

line con 0

privilege level 15

line vty 0 4

privilege level 15

line vty 5 15

privilege level 15

end

Thanks

Mahesh

Message was edited by: mahesh parmar

ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 16:51:24 GMT

Hi,

On the ASA side you will naturally need to add the NAT configuration for the DMZ before it can access the internet

nat (DMZ) 1 192.168.69.0 255.255.255.0

I am not sure what plans you have for the DMZ switch but you dont necesarily need it as a L3 switch. You could simply configure every port to be part of Vlan12 as Access ports and connect it to the ASA. On the ASA you could then configure the DHCP pool and provide the default gateway IP address for DMZ hosts that are configured with DHCP. Otherwise the host would staticly configured to use the ASA DMZ interface IP as the gateway.

- Jouni

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 17:13:09 GMT

Hi Jouni,

When you say simply config every port to be part of Vlan12 as access port do you refer to switch or ASA?

This is the config of NAT i did

global (DMZ) 1 interface

nat (DMZ) 1 192.168.69.0 255.255.255.0 outside

Need to confirm if this is correct config?

Also currenly PC connected to switch has default gateway which is switch vlan 12 int IP.

How can i config the gateway on switch so that users on PC can access the internet?

Regards

MAhesh

Re: ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 17:28:22 GMT

Hi,

With the Access port for Vlan12 I was thinking more of the switch you have connected to the ASA Vlan12.

If you dont happen to need it for any kind of routing you could leave that to the ASA to handle. You can handle the DHCP on the ASA too for the DMZ though the DHCP naturally aint as flexible as on the switch side.

You could for example configure the switch ports with

Switch

interface FastEthernet0/1

description Link to ASA

switchport mode access

switchport access vlan 12

swithcport nonegotiate

spanning-tree portfast

interface range FastEthernet0/2 - 24

description DMZ Host

switchport mode access

switchport access vlan 12

swithcport nonegotiate

spanning-tree portfast

ip default-gateway 192.168.69.2

no ip route 0.0.0.0 0.0.0.0 192.168.69.2

ASA

On the ASA you dont really need this command

no global (DMZ) 1 interface

You dont really need a translation between the local interfaces (which is what this would enable

The configuration

nat (DMZ) 1 192.168.69.0 255.255.255.0

Should be enough.

You could remove the DHCP from the switch and configure DHCP on the ASA for the DMZ Vlan12 users

dhcpd address 192.168.69.3-192.168.69.13 DMZ

dhcpd enable DMZ

The DNS server is already globally set on the ASA to be 64.59.144.19 for all of its interfaces.

After this you could test that the hosts on the DMZ switch get the DHCP IP from the ASA directly and then test connectivity to the Internet.

- Jouni

Re: ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 17:40:48 GMT

What kind of license do you have on the ASA by the way?

It seems you would have a Base License but how many users?

The very default ASA5505 only supports 10 users which is kinda low amount if you have some LAN users and DMZ servers. Hopefully you are not running into the user limit on the ASA

You can naturally check the ASA license with "show version"

Also you can confirm that the ASAs rules are ok regarding the DMZ interface with the "packet-tracer" command

For example

packet-tracer input DMZ tcp 192.168.69.100 12345 8.8.8.8 80

The values used in the above command are just random ones used. Its just sopposed to simulate a HTTP connection coming from the DMZ to the outside.

- Jouni

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 18:26:48 GMT

Hi Jouni,

I did as per your above post.

From PC i can ping the IP 192.168.69.2 but no internet sites ?

Also from PC i am unable to ping the ASA outside interface it is by design that i can not ping it?

Regards

MAhesh

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 18:29:27 GMT

Hi Jouni,

This ASA has base license only as i am doing some testing on this before we put this on production.

We only need few servers on this now that will be part of DMZ project.

Regards

Mahesh

ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 18:30:09 GMT

Hi,

You cant ping an interface from anywhere else other than behind that same interface. So hosts on outside can ping the "outside" interface and hosts on DMZ can ping the "DMZ" interface. There are some special cases where it will work but they dont apply to this situation.

Have you tried to browse the Internet through the DMZ or are you just trying to ping?

Did you do the above "packet-tracer" test to simulate what the firewall would do to the DMZ connections?

- Jouni

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 19:01:02 GMT

Hi Jouni,

Here is output of packet tracer

ciscoasa# packet-tracer input DMZ tcp 192.168.69.2 22222 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Also just curious to know if i can access the ASDM by DMZ?

I did the sh NAT command on ASA to see if NAT for DMZ is working or not it shows no hits.

Regards

mahesh

Re: ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 19:14:06 GMT

Hi,

You didnt use the command I posted.

You are using the DMZ interface IP address on the "packet-tracer" command and that is the reason it fails.

Please use the command I suggested.

You can access the ASDM from a DMZ host.

You just need to add on the ASA

http 192.168.69.0 255.255.255.0 DMZ

This should allow any host on the DMZ network to access the ASA by ASDM.

Also you could use the "show arp" command and see if the ASA sees any hosts on the DMZ interface if you are using some host on the DMZ for the connection tests.

- Jouni

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 19:18:43 GMT

Hi Jouni,

Here is NAT info from ASA

iscoasa# sh nat

NAT policies on Interface inside:

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip inside any outside any

dynamic translation to pool 1 (192.168.11.2 [Interface PAT])

translate_hits = 7784, untranslate_hits = 540

match ip inside any _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip inside any DMZ any

dynamic translation to pool 1 (No matching global)

translate_hits = 4, untranslate_hits = 0

NAT policies on Interface DMZ:

match ip DMZ 192.168.69.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip DMZ 192.168.69.0 255.255.255.0 DMZ any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip DMZ 192.168.69.0 255.255.255.0 _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

ciscoasa#

ASA unable to ping internet from DMZ

Jouni Forss — Sat, 06 Apr 2013 19:20:49 GMT

Hi,

Can you post the output of the "packet-tracer" command I suggested and also the current ASA configuration.

- Jouni

ASA unable to ping internet from DMZ

mahesh18 — Sat, 06 Apr 2013 19:46:30 GMT

Hi Jouni,

Here is output of packet tracer

ciscoasa# packet-tracer input DMZ tcp 192.168.69.100 12345 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (DMZ) 1 192.168.69.0 255.255.255.0 outside

match ip DMZ 192.168.69.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 8575, packet dispatched to next module

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ciscoasa# sh arp

inside 192.168.52.8 f0bf.97de.4f48 3098

inside 192.168.52.6 f0bf.97de.4f48 11569

outside 192.168.11.1 0009.e8a2.0080 3324

DMZ 192.168.69.3 f0bf.97de.4f48 1611

DMZ 192.168.69.1 000b.fd1c.0800 10540

Here is sh run

ciscoasa# sh running-config

: Saved

ASA Version 8.2(5)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 11

interface Ethernet0/1

switchport access vlan 12

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.52.1 255.255.255.0

interface Vlan11

nameif outside

security-level 0

ip address 192.168.11.2 255.255.255.0

interface Vlan12

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 192.168.69.2 255.255.255.0

boot system disk0:/asa825-k8.bin

ftp mode passive

pager lines 24

logging enable

logging timestamp

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 192.168.69.0 255.255.255.0 outside

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

http 192.168.0.0 255.255.0.0 DMZ